New Type of Database Vulnerability On the Rise: Database Pros Stay Vigilant

In 2007, database professionals need to be vigilant in monitoring their database communication protocols for potential security vulnerabilities. In a recent conversation with our editors, Amichai Shulman, CTO at Imperva (http://www.imperva.com) and Alan Norquist, Imperva’s vice president of marketing, gave us their insights about the new kinds of vulnerability exploits that database professionals might see in upcoming months. Shulman, who is the head of the Imperva Application Defense Center (ADC), a research and security services center, explained, “Until a year ago, most vulnerabilities were related to built-in stored procedures and packages that are supplied with database solutions. But in the past year, we’ve seen a new type of vulnerability related to communication protocols between clients and servers. These protocols aren’t exposed to a variety of traffic, but if you dig into their implementation, you can find vulnerabilities.” Shulman notes that Imperva’s researchers have seen a lot more exploits related to these protocol vulnerabilities, and he predicts, “This is a trend I think we’ll see in the coming year.”

Shulman stressed, “No real workarounds exist yet for these kinds of exploits—you can’t fix them within the database server.” To help database pros locate these hard-to-track vulnerabilities, Imperva released Scuba, a free database-vulnerability scanner for SQL Server, Oracle, Sybase, and IBM DB2. The Scuba product scans your database, identifies known vulnerabilities and misconfigurations, and tells you the overall security status of your database. Then, you can decide what to do about plugging the holes. The tool is a simple download that’s easy to run, and it doesn’t use attack techniques to determine whether vulnerabilities exist, so it’s safe.

It’s important to do periodic security scans of your database simply because the database is an ever-changing environment. “Microsoft has done a great job lately locking down the default security settings in SQL Server,” says Shulman. “But after deployment, things change—settings get changed, data needs change, people leave the company. This tool lets you do continuing assessments of the database environment so that you can stay on top of those changes.”

Part of the reason for releasing the new offering as freeware, said Norquist, is that it's intended as a starting point that helps you see what your next step needs to be. Norquist explained, “Once you identify a vulnerability, you have several paths open to you to fix it.” If you find a vulnerability that you can't get rid of, Imperva provides other security products to help you plug those holes. “For example,” Norquist said, “say you have a stored procedure that could allow a user to get system administrator privileges, but you have an application that requires that stored procedure. We provide products that can prevent exploits of those vulnerabilities.”

Imperva will provide ongoing updates to the Scuba freeware product. You can download Scuba at http://www.imperva.com/scuba.